GHSA-xqr9-4wvv-gvch: OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
OpenRemote versions prior to 1.24.2 contain a vulnerability in UserResourceImpl where realm administrators can access user information across different realms without proper realm boundary checks. Specifically, three read endpoints allow a realm admin from one tenant to read profile data, client roles, and realm roles of users in other realms, including the master realm, by supplying the target user's UUID. This leads to cross-tenant user enumeration and privilege-level reconnaissance. Write operations correctly enforce realm boundaries, but the read methods lack this protection. No official patch or fix is currently documented.
AI Analysis
Technical Summary
The vulnerability in OpenRemote's UserResourceImpl class arises because three read methods (get, getUserClientRoles, getUserRealmRoles) check only for the read:admin role but do not verify that the target user belongs to the caller's realm. The realm path parameter is accepted but not used to restrict access. This allows a realm admin from one tenant realm to query user details from any other realm, including the master realm, by using the target user's UUID. Write methods in the same class enforce realm boundaries properly, indicating an omission in the read methods. The vulnerability enables cross-realm user information disclosure and privilege reconnaissance in multi-tenant deployments. A proof of concept demonstrates that a tenantb realm admin can retrieve the master realm administrator's profile and roles using the REST API. The affected versions are all versions before 1.24.2. There is no evidence of known exploits in the wild or an official patch available at this time.
Potential Impact
An attacker with realm-admin-level privileges in one tenant can enumerate and read sensitive user information, including profiles and roles, of users in other realms, including the master realm. This breaks tenant isolation in multi-tenant deployments, potentially exposing privileged account details and enabling further privilege escalation or reconnaissance. The vulnerability does not affect integrity or availability directly but compromises confidentiality of user data across realms.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict realm-admin privileges carefully and monitor access to the affected API endpoints. Consider compensating controls such as network segmentation or additional access controls to limit cross-realm API calls. Avoid sharing UUIDs of privileged users across tenants to reduce risk of targeted enumeration.
GHSA-xqr9-4wvv-gvch: OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
Description
OpenRemote versions prior to 1.24.2 contain a vulnerability in UserResourceImpl where realm administrators can access user information across different realms without proper realm boundary checks. Specifically, three read endpoints allow a realm admin from one tenant to read profile data, client roles, and realm roles of users in other realms, including the master realm, by supplying the target user's UUID. This leads to cross-tenant user enumeration and privilege-level reconnaissance. Write operations correctly enforce realm boundaries, but the read methods lack this protection. No official patch or fix is currently documented.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in OpenRemote's UserResourceImpl class arises because three read methods (get, getUserClientRoles, getUserRealmRoles) check only for the read:admin role but do not verify that the target user belongs to the caller's realm. The realm path parameter is accepted but not used to restrict access. This allows a realm admin from one tenant realm to query user details from any other realm, including the master realm, by using the target user's UUID. Write methods in the same class enforce realm boundaries properly, indicating an omission in the read methods. The vulnerability enables cross-realm user information disclosure and privilege reconnaissance in multi-tenant deployments. A proof of concept demonstrates that a tenantb realm admin can retrieve the master realm administrator's profile and roles using the REST API. The affected versions are all versions before 1.24.2. There is no evidence of known exploits in the wild or an official patch available at this time.
Potential Impact
An attacker with realm-admin-level privileges in one tenant can enumerate and read sensitive user information, including profiles and roles, of users in other realms, including the master realm. This breaks tenant isolation in multi-tenant deployments, potentially exposing privileged account details and enabling further privilege escalation or reconnaissance. The vulnerability does not affect integrity or availability directly but compromises confidentiality of user data across realms.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict realm-admin privileges carefully and monitor access to the affected API endpoints. Consider compensating controls such as network segmentation or additional access controls to limit cross-realm API calls. Avoid sharing UUIDs of privileged users across tenants to reduce risk of targeted enumeration.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xqr9-4wvv-gvch
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54641"]
- Ecosystems
- ["Maven"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a4c340527e9c797195f6498
Added to database: 07/06/2026, 23:02:29 UTC
Last enriched: 07/06/2026, 23:13:51 UTC
Last updated: 07/07/2026, 00:20:28 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.